Bug 9972

Summary: Incorrect permissions on nrpe pid file
Product: Mageia Reporter: claire robinson <eeeemail>
Component: RPM PackagesAssignee: QA Team <qa-bugs>
Status: RESOLVED FIXED QA Contact:
Severity: normal    
Priority: Normal CC: luigiwalser, luis.daniel.lucio, oe, sysadmin-bugs, tmb
Version: 3Keywords: validated_update
Target Milestone: ---   
Hardware: i586   
OS: Linux   
Whiteboard: MGA2TOO has_procedure mga3-32-ok mga3-64-ok mga2-32-ok mga2-64-ok
Source RPM: nrpe CVE:
Status comment:

Description claire robinson 2013-05-03 20:18:55 CEST 
Please refer to bug 9615

When stopping/restarting the nrpe service..

nrpe[18832]: Caught SIGTERM - shutting down...
nrpe[18832]: Cannot remove pidfile '/var/run/nrpe/nrpe.pid' - check your privileges.
nrpe[18832]: Daemon shutdown
nrpe[19974]: Stopping nrpe: [  OK  ]

# ll /var/run/nrpe/nrpe.pid
-rw-r--r-- 1 root root 6 May  3 18:16 /var/run/nrpe/nrpe.pid

nrpe runs as user/group nagios

It doesn't prevent the service stopping or restarting but does leave the pid file behind.

Reproducible: 

Steps to Reproduce:
Comment 1 David Walser 2013-05-03 20:32:44 CEST 
Possibly /var/run/nrpe should be owned by nagios:nagios, i.e. this in %files:
%attr(0755,nagios,nagios) %dir %{_var}/run/%{name}

This would also affect the Cauldron version, as it has a tmpfiles conf:
d /run/nrpe   755 root root

Speaking of which, Daniel and Guillaume have competing commits in Cauldron adding and removing the /run/nrpe directory in the SPEC.  Guillaume was correct to remove what Daniel added to the SPEC for that, but I see why Daniel thought it was needed.  /run/nrpe isn't created immediately upon package installations, because this is missing from %post:
%_tmpfilescreate %{name}

That should be added before the %_post_service %{name} line.

CC: (none) => luigiwalser

Comment 2 David Walser 2013-08-13 22:58:48 CEST 
Fixed in Cauldron in nrpe-2.14-2.mga4.

Fixed in SVN for Mageia 2 and Mageia 3.  The next security update will fix this.

Version: 2 => 3
Whiteboard: (none) => MGA2TOO

Comment 3 David Walser 2013-08-14 00:54:07 CEST 
Claire, if you wouldn't mind testing this on Mageia 3, since the /run/nrpe directory isn't created at all currently (because of the missing _tmpfilescreate), this might be a more serious issue there.  If so, we could go ahead and update this now.
Comment 4 claire robinson 2013-08-14 08:03:23 CEST 
There is a clear problem this time, the service fails to start after a timeout saying it cannot create the pid file. It does actually start it but then kills it after the timeout.

$ ps aux | grep nrpe | grep -v grep
root      9269  0.0  0.0  20528  1092 pts/1    S+   06:56   0:00 /bin/systemctl start nrpe.service
nagios    9281  0.0  0.0  39536  1316 ?        Ss   06:56   0:00 /usr/sbin/nrpe -c /etc/nagios/nrpe.cfg -d

# service nrpe start
Redirecting to /bin/systemctl start nrpe.service                                                                                             
Job for nrpe.service failed. See 'systemctl status nrpe.service' and 'journalctl -n' for details.                                            

# service nrpe status
Redirecting to /bin/systemctl status nrpe.service
nrpe.service - Nagios Remote Plugin Execution daemon
          Loaded: loaded (/usr/lib/systemd/system/nrpe.service; enabled)
          Active: failed (Result: timeout) since Wed, 2013-08-14 06:58:17 BST; 24s ago
         Process: 9280 ExecStart=/usr/sbin/nrpe -c /etc/nagios/nrpe.cfg -d (code=exited, status=0/SUCCESS)
          CGroup: name=systemd:/system/nrpe.service

systemd[1]: Starting Nagios Remote Plugin Execution daemon...
nrpe[9281]: Starting up daemon
nrpe[9281]: Cannot write to pidfile '/run/nrpe/nrpe.pid' - check your privileges.
nrpe[9281]: Listening for connections on port 5666
nrpe[9281]: Allowing connections from: 127.0.0.1
systemd[1]: Failed to start Nagios Remote Plugin Execution daemon.
systemd[1]: Unit nrpe.service entered failed state

$ ps aux | grep nrpe | grep -v grep
$
Comment 5 claire robinson 2013-08-14 08:04:34 CEST 
It's not creating the /run/nrpe directory
Comment 6 David Walser 2013-08-14 14:00:12 CEST 
Thanks Claire, that's what I was expecting.  Let's fix this then.

Advisory:
----------------------------------------

Various issues with the directory that the NRPE service uses to store its PID
file have been corrected.

----------------------------------------
Updated packages in core/updates_testing:
----------------------------------------
nrpe-2.14-1.1.mga2
nagios-check_nrpe-2.14-1.1.mga2
nrpe-2.14-1.1.mga3
nagios-check_nrpe-2.14-1.1.mga3

from SRPMS:
nrpe-2.14-1.1.mga2.src.rpm
nrpe-2.14-1.1.mga3.src.rpm

CC: (none) => luis.daniel.lucio
Assignee: luis.daniel.lucio => qa-bugs

Comment 7 claire robinson 2013-08-14 16:37:52 CEST 
Testing complete mga3 64

After update..

# service nrpe start
Redirecting to /bin/systemctl start nrpe.service

# service nrpe status
Redirecting to /bin/systemctl status nrpe.service
nrpe.service - Nagios Remote Plugin Execution daemon
          Loaded: loaded (/usr/lib/systemd/system/nrpe.service; enabled)
          Active: active (running) since Wed, 2013-08-14 15:30:00 BST; 1min 59s ago
         Process: 12393 ExecStart=/usr/sbin/nrpe -c /etc/nagios/nrpe.cfg -d (code=exited, status=0/SUCCESS)
        Main PID: 12394 (nrpe)
          CGroup: name=systemd:/system/nrpe.service
                  รข 12394 /usr/sbin/nrpe -c /etc/nagios/nrpe.cfg -d

systemd[1]: Starting Nagios Remote Plugin Execution daemon...
nrpe[12394]: Starting up daemon
systemd[1]: Started Nagios Remote Plugin Execution daemon.
nrpe[12394]: Listening for connections on port 5666
nrpe[12394]: Allowing connections from: 127.0.0.1

# ll -d /run/nrpe
drwxr-xr-x 2 nagios nagios 60 Aug 14 15:30 /run/nrpe/

# ll /run/nrpe
total 4
-rw-r--r-- 1 root root 6 Aug 14 15:30 nrpe.pid

# netstat -pant | grep nrpe
tcp   0   0 0.0.0.0:5666   0.0.0.0:*  LISTEN  12394/nrpe 

# /usr/lib64/nagios/plugins/check_nrpe -H localhost
NRPE v2.14         


# service nrpe stop
Redirecting to /bin/systemctl stop nrpe.service

# service nrpe status
Redirecting to /bin/systemctl status nrpe.service
...
systemd[1]: Stopping Nagios Remote Plugin Execution daemon...
systemd[1]: Stopped Nagios Remote Plugin Execution daemon.

# /usr/lib64/nagios/plugins/check_nrpe -H localhost
Connection refused by host

# ll /run/nrpe
total 0

Whiteboard: MGA2TOO => MGA2TOO has_procedure mga3-64-ok

Comment 8 claire robinson 2013-08-14 19:50:09 CEST 
Testing complete mga2 32

The pid files are stored in a different place on mga2, /var/run/

# service nrpe start
Starting nrpe (via systemctl):                                  [  OK  ]

# ll /var/run/nrpe/
total 4
-rw-r--r-- 1 root root 6 Aug 14 18:45 nrpe.pid

# ll -d /var/run/nrpe/
drwxr-xr-x 2 nagios nagios 4096 Aug 14 18:45 /var/run/nrpe//

# /usr/lib/nagios/plugins/check_nrpe -H localhost
NRPE v2.14

# service nrpe stop
Stopping nrpe (via systemctl):                                  [  OK  ]

# /usr/lib/nagios/plugins/check_nrpe -H localhost
Connection refused by host

# ll /var/run/nrpe/
total 0

Whiteboard: MGA2TOO has_procedure mga3-64-ok => MGA2TOO has_procedure mga3-64-ok mga2-32-ok

Comment 9 claire robinson 2013-08-15 08:42:31 CEST 
Testing complete mga2 64

Whiteboard: MGA2TOO has_procedure mga3-64-ok mga2-32-ok => MGA2TOO has_procedure mga3-64-ok mga2-32-ok mga2-64-ok

Comment 10 claire robinson 2013-08-15 08:42:45 CEST 
Advisory uploaded
Comment 11 claire robinson 2013-08-15 09:23:05 CEST 
Testing complete mga3 32

Validating

Could sysadmin please push from 2 & 3 core updates testing to updates

Thanks!

Keywords: (none) => validated_update
Whiteboard: MGA2TOO has_procedure mga3-64-ok mga2-32-ok mga2-64-ok => MGA2TOO has_procedure mga3-32-ok mga3-64-ok mga2-32-ok mga2-64-ok
CC: (none) => sysadmin-bugs

Comment 13 David Walser 2013-08-16 12:48:01 CEST 
(In reply to Oden Eriksson from comment #12)
> FYI:
> http://svn.mandriva.com/viewvc/packages/cooker/nrpe/current/SPECS/nrpe.
> spec?r1=535273&r2=544448

Yeah guillomovitch likes to do that, but for /var/run/nrpe, that looks wrong.  Not sure I see the purpose in pointing this commit out though...
Comment 14 Thomas Backlund 2013-08-17 10:25:57 CEST 
Update pushed:
http://advisories.mageia.org/MGAA-2013-0085.html

Status: NEW => RESOLVED
CC: (none) => tmb
Resolution: (none) => FIXED